Attorney Docket No. 275 12U 
Preliminary Amendment 

AMENDMENTS TO THE CLAIMS 

This listing of claims will replace all prior versions, and listings, of claims in the 
application. 



Listing of Claims : 

Claims 1-38 (Cancelled) 

39. (Currently amended) An apparatus for monitoring configured to monitor and auditing audit 
activity in a network, the network utilizes an incremental protocol, the apparatus comprising: 

a) an analyzer operative to analyze intercepted packets conveyed by entities in the network 
and to generate analyzed data based on information associated with at least some of said 
packets, the analyzed data being indicative of sessions; 

b) a mirror manager responsive to said analyzed data for generating mirror data 
representative of mirror sessions, each mirror session corresponding to one of said 
sessions; and 

c) an audit event analyzer being responsive to said mirror data for pr ocessing at least pa rt 
of said data representative 0 f a mirror ooosion and generating event data representative 
of audit events that include inbound audit events and outbound audit events, said event 
data including characteristics relating to at least on-screen field location of data being 
part of the inbound audit events and outbound audit events i ncluding information for 
i nstructing a terminal how to draw screens to be displayed th e reon and serving to 
prompt a user to p e rform operations e ach in respect of a corresponding outbound aud it 

op e rations performed on the terminal in r e spect of said outbound audit events , said 
audit event analyzer further processing successive on e or more outbound audit events 
and one or more inbound audit events for incrementally generating cumulative being 
adapted to analyze said event data for extracting extracted data from event data 
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representative of a respective united an inbound audit event that combines pr e ceding 
outbound and together with the characteristics respective of said inbound audit events, 
event and to generate e vent data representative of a [[said]] united audit event 
including information that enables displaying a current status of mo scr e en on a 
t e rminal without requiring that the preceding outbound and inbound ovonto bo displayed 
prior thereto by combining the extracted data with one or more fields in event data 
representative of an outbound audit event based on said characteristics . 

40. (Currently amended) The apparatus of Claim 39, further comprising: 

a business event analyzer for processing at least part of said event data representative of 
outbound, inbound and united audit events and generating data representative of business events. 

4 1 . (Previously presented) The apparatus of Claim 40, further comprising: 

an alerts manager coupled to the business event analyzer and being responsive to said data 
representative of business events for generating alerts. 

42. (Previously presented) The apparatus of Claim 4 1 , wherein the alerts manager is configured 
to generate at least some of the alerts based on predetermined thresholds. 

43. (Previously presented) The apparatus of Claim 39, further comprising: 

a first long term storage device for storing at least part of said analyzed data. 

44. (Currently amended) The apparatus of Claim 3 9, further comprising: 

a second long term storage device for storing at least part of said mirror data representative 
of mirror sessions. 

45. (Currently amended) The apparatus of Claim 39, further comprising: 
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a compression agent for compressing at least part of the mirror data representative of 
mirror sessions. 

46. (Currently amended) The apparatus of Claim 39, further comprising: 

an encryption agent for encrypting at least part of the mirror data representative of mirror 
sessions. 

47. (Currently amended) The apparatus of Claim 39, further comprising: 

a signature agent for digitally signing at least part of the mirror data representative of 
mirror sessions. 

48. (Currently amended) A method [[for]] of monitoring and auditing activity in a network, the 
network utilizes an incremental protocol, the method comprising: 

a) analyzing intercepted packets conveyed by entities in the network; 

b) generating analyzed data based on information associated with at least some of said 
packets, the analyzed data being indicative of sessions; 

c) responsive to said analyzed data generating in respect of one or more of said sessions 
mirror data representative of one or more mirror sessions, each mirror session 
corresponding to a session; and 

proc e ssing at lea s t part of said data representative of a mirror session and generating 
event data representative of audit events that include inbound audit events and 
outbound audit events, said outbound audit events event data including information for 
instructing a terminal how to draw screens to be displayed th e r e on and serving to 
prompt a user to perform operations each in r e spect of a corresponding outbound audit 
e vent, and said inbound audit e vents including information representative of th e 
operations performed on the terminal in resp e ct of said outbound audit events, wherein 
processing further includes processing successive one or mor e outbound audit even ts 
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and one or more inbound audit events for incrementally generating cumulative data 
representative of a respectiv e) unit e d audit ev e nt that combines preceding outbound and 




relating to at least on-scre en field location of data being part of the inbound audit events 
and outbound audit events: 

e) extracting extracted dat a from event data representative of an inbound audit event 
together wit h the characteristics respective of said inbound audit event: and 

f) g enerating event data representative of a united audit event by combining the extracted 
data with one or more fi elds in event data representative of an outbound audit event 
based on said characteristics. 

49. (Currently amended) The method of Claim 48, further comprising: 

processing at least part of said event data representative of outbound, inbound and united 
audit events and generating data representative of business events. 

50. (Previously presented) The method of Claim 0, further comprising: 

responsive to said data representative of business events generating alerts in respect of at 
least one of said business events. 

5 1 . (Previously presented) The method of Claim 50, wherein generating at least some of the alerts 
is based on predetermined thresholds. 

52. (Previously presented) The method of Claim 48, further comprising: 
storing at least part of the analyzed data. 




displaying a current s tatus of the ; 
preceding outbound and inbound 



on a terminal without requiring that the 
be displayed prior thereto, characteristics 
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53. (Currently amended) The method of Claim 48, further comprising: 
storing at least part of the mirror data representative of mirror sessions. 

54. (Currently amended) The method of Claim 48, further comprising: 
compressing at least part of said mirror data representative of mirror sessions. 

55. (Currently amended) The method of Claim 48, further comprising: 
encrypting at least part of said mirror data representative of mirror sessions. 

56. (Currently amended) The method of Claim 48, further comprising: 

digitally signing at least part of said mirror data representative of mirror sessions. 

57. (Cancelled) 

58. (Currently amended) A computer program product comprising a computer useable 
medium having computer readable program code embodied therein for performing steps of claim 
48 ^monitoring and auditing activity of a network, the network utilizes an incr e mental protocol, 
the computer program - product comprising ? 

computer readabl e program cod e for causing the computer to analyz e intercept e d packe ts 
conveyed by entities in the network? 

computer readable program code for - causing the computer to g e n e rate analyzed data based 
on information associated with at least some of said packets, the analyzed data b e ing indicative of 

computer readabl e program code for causing the comput e r to generate responsiv e to said 
analyzed data and in respect of on e or more of said sessions, data representative of one or more 
mirror sessions, oach mirror session corresponding to a session; and 

computer readable program code for causing the computer to proc e ss at l e ast part of said 
data representativ e of a mirror s e ssion and generate data r e presentative of audit e vents that include 
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inbound audit e v e nts and outbound audit e vents, said outbound audit events including information 
for instructing a terminal how to draw s cr e ens to be displayed thereon and serving to prompt a 
us e r to perform operations e ach in respect of a corresponding outbound audit event, and Gaid 
inbound audit events including information representative of th e operations performed on the 
terminal in r e spect of said outbound audit cvonto, wh e r e in the computer readable program code is 
further configured to causing the computer to process succ e ssiv e one or more - outbound audit 
events and one or more inbound audit events for incr e mentally generating cumulative data 
representative of a r e spective united audit e vent that combines prec e ding outbound and inbound 
audit e vents, said united audit e vent including information that enables displaying a current status 
of the screen on a terminal without requiring that the preceding outbound and inbound e vents bo 
display e d prior ther e to, 

59. (New) The apparatus of claim 39, further comprising: 

a terminal responsive to said event data representative of a united audit event for 
displaying said united audit event without requiring that preceding outbound and inbound audit 
events be displayed prior thereto. 
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